Mailinglist Archive: opensuse-security (511 mails)

Re: [suse-security] *weird* Apache/Firewall problem.
  • From: "Argentium G. Tiger" <agtiger@xxxxxxxxx>
  • Date: Tue, 14 Aug 2001 18:39:06 -0500
  • Message-id: <5.1.0.14.2.20010814182744.028a24b0@xxxxxxxxxxxxxxxxxxxx>
Roberto writes:

> So, addresses, route and masqueraded networks seem ok too...

Yup, and you'll never believe what the problem was. It wasn't our network
at all. Our ISP has three caching web servers. I shut down the firewall's
forwarding of port 80 to the web server on our DMZ segment.

I then told the SSH Daemon on the firewall to listen on ports 22, 79, 80,
81, and 8889 (just for giggles).

The techs at our ISP could get a response from the SSH Daemon on ports
22, 79, 81, and 8889, but NOT port 80.

(You should have heard some of the responses as their third tier support
personnel got involved... "Why the hell is he running SSH on port 80??"
*laugh*)

I finally spoke with "that one guy" that lives at every good ISP. You know,
the sysadmin who walks on water, calms a troubled rack of servers with a
gentle gesture, and ... knows things. }:> He figured out that their
caching servers for web traffic might be getting in our way.

What had happened was that I had limited connections to our web server to:
192.168.16.0/24 (both our internal networks), a bank of machines at our
client's work place, and my home firewall. The caching web servers were
_not_ permitted access. Our logs show their caching servers being denied
quite a number of times as they tried to connect to us on port 80.
Eventually, they cached the connection error on all three servers, and
then when I set all the configs back to normal and opened our web server
to the world... The caching servers at our ISP would simply tell all
inbound traffic that port 80 at our site was down.

It's solved, my ISP is now fully aware of the problem, and is working on it.
They're following up with CISCO. They've already called me back at home
with an update to let me know what's going on.

It was three hours on the phone, but after having experienced horrible ISPs
over the past few years, I felt _very_ well taken care of by our business's
current ISP. That's something you don't get the opportunity to say every
day.

If anyone's interested, we use Everest (www.everestgt.com).

Thank you so much for hanging in there with me and trying to help, Roberto.
If nothing else, the moral support was very appreciated. :-)

> P.S.
> My delayed reply is due to Telecom Italia network problems... Two days down...
> ;-(

Sorry to hear you're having problems with your ISP Roberto. Hopefully
they'll pull things together for you.

Sincerely,
Argentium

